ScreenOS Firewalls (NOT SRX)
RACAdmin

SSG5 Dual ISP scenario possibility

Hi All.

I have an SSG5 running ScreenOS 6.2.0 in Failover mode, and everything works fine.

But I have been presented with a scenario that I do not know is possible.


Eth 0/0 ISP1
Eth 0/1 ISP2


Can I have a VPN on Eth 0/0 that if ISP1 goes down, will failover to Eth 0/1 ISP2? (Simply Yes, but please read on)

While with the above VPN failover, can I have all other traffic go out Eth 0/1 ISP2, and fail over to Eth 0/0 ISP1 if ISP2 goes down?


Hope that makes sense.

Thanks in advance for any responses.

Munpe_Q

Re: SSG5 Dual ISP scenario possibility

Absolutely, that's cake.  It's all routing once you have the tunnels set up across each ISP.  Your routing entries would simply use metrics and/or preferences and have a higher metric/preference for one tunnel interface over the other.  Once that VPN drops, the more preferred route will become inactive and the secondary route will become active.  It's effectively the same thing with the unencrypted traffic.  But your question also has the same result: if ISP1 goes down then everything will fail over to ISP2, and then will fail back to ISP1 once it comes back up.  The tunnel will inherently fail because outbound traffic is horked altogether.


So, your VPN routing entries could look like this:

set route 192.168.1.0/24 int tunnel.1 preference 20 metric 20
set route 192.168.1.0/24 int tunnel.2 preference 20 metric 30


You could also do two default routes for Internet traffic, either with equal (possibly also using ECMP) or unequal preferences.

set route 0.0.0.0/0 int e0/0 gate 1.1.1.1 preference 20 metric 20
set route 0.0.0.0/0 int e0/1 gate 2.2.2.2 preference 20 metric 30


Just a start, let me know if I misunderstood your goal.

Message Edited by Munpe_Q on 11-17-2008 05:12 PM
-=Q
RAC-Admin

Re: SSG5 Dual ISP scenario possibility

Great!

That sounds exactly like what I need.

So, if I understand you and what needs to be done:

I will do this by first doing away with "Backup", since backup/failover mode keeps one port in the "Down" state.

And just keep both ports "up" and then do the routing you indicated?

Same person as the original poster, but it says my Forums Alias is in use by another account.


Message Edited by RAC-Admin on 11-21-2008 08:59 AM
Munpe_Q

Re: SSG5 Dual ISP scenario possibility

Keep everything like you have it and just implement some basic routes as I mentioned.  The interfaces will always be up, but the routes that have a higher metric/preference will be inactive until you have a link-down state.  Now, that being said, this brings up a point that I failed to mention earlier.

If you don't have a link down, the first default route will always stay active.  So you will also need to implement track-ip on the primary and/or secondary ISP interfaces.  Track-ip will monitor via ping (the default) a device upstream from the firewall and/or router, and if it's unreachable, it can cause a failover to the second monitored interface.  Your other option is to implement a link-state routing protocol to detect a bad route and cause routing to reconverge and choose a different path.

 

A completely different option altogether is to implement PBR and/or source based routing, but start with the first suggestion, modify it with the track-ip I mentioned and see if that meets your requirements.  If not, build off of that.

 

Palabra.

Message Edited by Munpe_Q on 11-21-2008 05:36 PM
-=Q
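As an added worked example (not configuration posted in this thread), here is how the two answers above fit together into one route-based ScreenOS 6.2 configuration that does what the original question asked: the VPN prefers ISP1 on ethernet0/0 and falls back to ISP2, while all other traffic prefers ISP2 on ethernet0/1 and falls back to ISP1. Note that this swaps the default-route metrics relative to the snippet in the first reply, so Internet traffic prefers ethernet0/1. All addresses, the peer 3.3.3.3, gateway/VPN names and the pre-shared key are placeholders. The assumptions to verify before applying it on your box: that the far end accepts IKE from both ISP source addresses (it needs a peer entry per address), that ScreenOS accepts two IKE gateways to the same peer address when their outgoing interfaces differ, and the exact `monitor track-ip` and `vpn ... monitor` syntax in the 6.2 CLI reference.

```screenos
## Added example, not from the thread.  Placeholders: 1.1.1.0/30 (ISP1),
## 2.2.2.0/30 (ISP2), VPN peer 3.3.3.3, remote LAN 192.168.1.0/24.

## Two untrust interfaces, both up, one per ISP (no backup/failover pairing)
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 1.1.1.2/30
set interface ethernet0/1 zone untrust
set interface ethernet0/1 ip 2.2.2.2/30

## One route-based VPN per ISP to the same peer.  Each IKE gateway is pinned
## to its own outgoing interface, so the tunnel over ISP2 does not depend on
## ISP1 at all.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet0/1

set ike gateway gw-isp1 address 3.3.3.3 main outgoing-interface ethernet0/0 preshare "CHANGE-ME" sec-level standard
set ike gateway gw-isp2 address 3.3.3.3 main outgoing-interface ethernet0/1 preshare "CHANGE-ME" sec-level standard
set vpn vpn-isp1 gateway gw-isp1 sec-level standard
set vpn vpn-isp1 bind interface tunnel.1
set vpn vpn-isp2 gateway gw-isp2 sec-level standard
set vpn vpn-isp2 bind interface tunnel.2

## VPN monitor with rekey: when the peer stops answering, the tunnel
## interface goes down, its route becomes inactive and the other tunnel's
## route takes over.  Without this a dead tunnel keeps its route active.
set vpn vpn-isp1 monitor optimized rekey
set vpn vpn-isp2 monitor optimized rekey

## Remote LAN: same preference, lower metric wins, so tunnel.1 (ISP1) first
set route 192.168.1.0/24 interface tunnel.1 preference 20 metric 20
set route 192.168.1.0/24 interface tunnel.2 preference 20 metric 30

## Everything else: ISP2 first, ISP1 as fallback (the asymmetry requested)
set route 0.0.0.0/0 interface ethernet0/1 gateway 2.2.2.1 preference 20 metric 20
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.1 preference 20 metric 30

## Track-ip: a link can stay up at layer 2 while the ISP black-holes traffic,
## in which case the default route above never goes inactive on its own.
## When ping to the tracked host fails, its weight (255) meets the interface
## threshold (255), the interface is marked failed, and its routes go
## inactive, so the fallback default route becomes active.  Track a host the
## ISP actually answers ICMP from; if the gateway filters ping, tracking
## will declare a healthy link dead.
set interface ethernet0/1 monitor track-ip ip 2.2.2.1 weight 255
set interface ethernet0/1 monitor track-ip threshold 255
set interface ethernet0/1 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 1.1.1.1 weight 255
set interface ethernet0/0 monitor track-ip threshold 255
set interface ethernet0/0 monitor track-ip ip
```

After committing, `get route` should show both 0.0.0.0/0 entries and both 192.168.1.0/24 entries, with only the lower-metric entry of each pair marked active. Pull the cable or block ICMP to 2.2.2.1 and `get route` should flip the active default route to ethernet0/0 while the tunnel.1 route for 192.168.1.0/24 stays active, which is exactly the independent failover the question describes. One thing to watch once two untrust interfaces carry traffic: the policy set and any NAT or MIP configuration must be correct for either egress interface, since after a failover the firewall's Internet-facing source address changes to the other ISP's block.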
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.